A malicious campaign leveraged seemingly innocuous Android
dropper apps on the Google Play Store to compromise users’ devices
with banking[1]
malware[2].
These 17 dropper apps, collectively dubbed
DawDropper by Trend Micro, masqueraded as
productivity and utility apps such as document scanners, QR code
readers, VPN services, and call recorders, among others. All these
apps in question have been removed from the app marketplace.
“DawDropper uses Firebase Realtime Database, a third-party cloud
service, to evade detection and dynamically obtain a payload
download address,” the researchers said[3]. “It also hosts
malicious payloads on GitHub.”
Droppers are apps designed to sneak past Google’s Play Store
security checks, following which they are used to download more
potent and intrusive malware on a device, in this case, Octo[4]
(Coper), Hydra[5], Ermac[6], and TeaBot[7].
Attack chains involved the DawDropper malware establishing
connections with a Firebase Realtime Database to receive the GitHub
URL necessary to download the malicious APK file.
The list of malicious apps previously available from the app
store is below –
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner- hyper & smart (com.j2ca.callrecorder)
- Document Scanner – PDF Creator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle photo editor (com.techmediapro.photoediting)
- Call recorder pro+ (com.chestudio.callrecorder)
- Extra Cleaner (com.casualplay.leadbro)
- Crypto Utils (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Just In: Video Motion (com.olivia.openpuremind)
- com.myunique.sequencestore
- com.flowmysequto.yamer
- com.qaz.universalsaver
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Scanner (com.qrdscannerratedx)
Included among the droppers is an app named “Unicc QR Scanner”
that was previously flagged by Zscaler[8]
earlier this month as distributing the Coper banking trojan, a
variant of the Exobot mobile malware.
Octo is also known to disable Google Play Protect[9]
and use virtual network computing (VNC) to record a victim device’s
screen, including sensitive information such as banking
credentials, email addresses and passwords, and PINs, all of which
are subsequently exfiltrated to a remote server.
Banking droppers, for their part, have evolved[10] since the start of the
year, pivoting away from hard-coded payload download addresses to
using an intermediary to conceal the address hosting the
malware.
“Cybercriminals are constantly finding ways to evade detection
and infect as many devices as possible,” the researchers said.
“Additionally, because there is a high demand for novel ways to
distribute mobile malware, several malicious actors claim that
their droppers could help other cybercriminals disseminate their
malware on Google Play Store, resulting in a dropper-as-a-service
(DaaS[11]) model.”
References
- ^
banking
(thehackernews.com) - ^
malware
(thehackernews.com) - ^
said
(www.trendmicro.com) - ^
Octo
(thehackernews.com) - ^
Hydra
(thehackernews.com) - ^
Ermac
(thehackernews.com) - ^
TeaBot
(thehackernews.com) - ^
flagged
by Zscaler (thehackernews.com) - ^
Google
Play Protect (support.google.com) - ^
evolved
(thehackernews.com) - ^
DaaS
(thehackernews.com)
Read more https://thehackernews.com/2022/07/over-dozen-android-apps-on-google-play.html